Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

I'm trying to achieve the following for our employees, contractors and guest.

 

Guests and Contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.

  • contractors (ldap contractor group) -> webauth -> internet
  • guest (internal ise db via sponsorportal) - webauth -> internet

 

Employees should be allowed to register their devices after successful auth on the ISE portal login page and they should be allowed to access the internet once their device is registered. So they don't have to re-enter the credentials every 2 hours. 

  • employee (ldap employee group) -> webauth -> nsp -> internet

 

In ISE i've created a custom portal with mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning Policy configured and I've set the Native Supplicant Provisioning Policy Unavailable: to Allow network acces. 

 

I'm currently experiencing problems with clients and they describe their problem as portal loop. when they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment i'm working remote and not able to replicate the problem myself. Any advice would be welcome and much appreciated. 

 

 

Is there any available documention about the builtin attributes in ISE. I'm especially interested in network use EQUALS guest flow.

5 REPLIES
New Member

Hi Patrick,I'm facing similar

Hi Patrick,

I'm facing similar problem as yours , but on wired . My contractor (I name it vendor) is redirect to guest portal , and when they login they were redirected to the portal again.

for the devices registration , I have set  the Native Supplicant Provisioning Policy Unavailable: to Allow network acces. 

my authorization rules as follows :

1- rules name : Vendor-wired  :  identity : registerddevices AND identitygroup: VENDOR  authorization profile: VENDOR-ACCESS

2-  rules name : WIRED-CWA  :  identity : any  condition: device-type:SWITCH  authorization profile: CWA-PORTAL

It looks like , when vendor is login , they are not hitting the first rule , although the device shows up in the registered devices , and the vendor account is in VENDOR identity group (local in ISE) , so they come back again to rules 2 , which redirect them to the CWA-PORTAL again .

did you find any hint for this problem ?

 

 

 

 

 

Cisco Employee

Is this a distributed

Is this a distributed deployment?  How many PSNs?  Does the redurect URL point to a static IP?

What is the version and patch level for the ISE?  WLC Code?

Best practice is not to set static IP in the redirect URL and let the PSN responding to
RADIUS to automatically be the one to which subsequent CWA requests are sent.  Otherwise,
the other PSN will have no knowledge of the session and will loop as shown.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

New Member

Hi Charles in my case , it is

Hi Charles 

in my case , it is wired and it is two nose deployment not distributed .

ise 1.2.1 with last patch 

url redirection is working fine , supplicants provisioning is ok , device registration is also fine . 

But after the user login he is redirected again to the portal .. The device is shown under registred devices , but the autho rule 2 is not being hit after user login .. The strange thing is that when I try again , the device registration portal ask again to register .. Although the device is under registred devices ...

i have no clue what's going on.,

 

 

New Member

Hi, I had simmilar issues

Hi, I had simmilar issues with my WLC. Finally I realized the ISE PSNs and WLC had a firewall between them.

So CoA through port 1700 from PSNs to WLC was closed. I had to open it for the CoA from PSNs to WLC could change the state of the connected client. And the loop finished.

I hope this helps.

Cisco Employee

Hi Patrick. It has been a

Hi Patrick. It has been a while since I have done web based device provisioning but from what I remember, I had to create two individual web portals: 1 for standard guest access and 1 for the device provisioning. I had to do this because having the "provisioning flow" option enabled caused issues for standard guests that were not doing device onboarding. 

 

Thank you for rating helpful posts! 

Thank you for rating helpful posts!
219
Views
4
Helpful
5
Replies
CreatePlease login to create content